mirror of
https://github.com/caddyserver/caddy.git
synced 2026-02-15 07:52:08 -05:00
03e6e439dd
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.25.0, ubuntu-latest, 0, 1.25, linux) (push) Failing after 16s
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Has been skipped
Cross-Build / build (~1.25.0, 1.25, aix) (push) Failing after 13s
Cross-Build / build (~1.25.0, 1.25, dragonfly) (push) Failing after 52s
Cross-Build / build (~1.25.0, 1.25, freebsd) (push) Failing after 14s
Cross-Build / build (~1.25.0, 1.25, illumos) (push) Failing after 13s
Cross-Build / build (~1.25.0, 1.25, linux) (push) Failing after 14s
Cross-Build / build (~1.25.0, 1.25, netbsd) (push) Failing after 15s
Cross-Build / build (~1.25.0, 1.25, openbsd) (push) Failing after 14s
Cross-Build / build (~1.25.0, 1.25, solaris) (push) Failing after 14s
Cross-Build / build (~1.25.0, 1.25, windows) (push) Failing after 13s
Lint / lint (ubuntu-latest, linux) (push) Failing after 14s
Lint / govulncheck (push) Successful in 1m42s
Lint / dependency-review (push) Failing after 14s
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 13s
Cross-Build / build (~1.25.0, 1.25, darwin) (push) Failing after 12m18s
Tests / test (./cmd/caddy/caddy, ~1.25.0, macos-14, 0, 1.25, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.25.0, windows-latest, True, 1.25, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
When a request arrives via a Unix domain socket (RemoteAddr == "@"), net.SplitHostPort fails, causing addForwardedHeaders to strip all X-Forwarded-* headers even when the connection is trusted via trusted_proxies_unix. Handle Unix socket connections before parsing RemoteAddr: if untrusted, strip headers for security; if trusted, let clientIP remain empty (no peer IP for a Unix socket hop) and fall through to the shared header logic, preserving the existing XFF chain without appending a spurious entry. Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103 Co-authored-by: Amp <amp@ampcode.com>
128 lines
3.9 KiB
Go
128 lines
3.9 KiB
Go
package reverseproxy
|
|
|
|
import (
|
|
"context"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
|
|
)
|
|
|
|
func TestAddForwardedHeadersNonIP(t *testing.T) {
|
|
h := Handler{}
|
|
|
|
// Simulate a request with a non-IP remote address (e.g. SCION, abstract socket, or hostname)
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.RemoteAddr = "my-weird-network:12345"
|
|
|
|
// Mock the context variables required by Caddy.
|
|
// We need to inject the variable map manually since we aren't running the full server.
|
|
vars := map[string]interface{}{
|
|
caddyhttp.TrustedProxyVarKey: false,
|
|
}
|
|
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
|
|
req = req.WithContext(ctx)
|
|
|
|
// Execute the unexported function
|
|
err := h.addForwardedHeaders(req)
|
|
|
|
// Expectation: No error should be returned for non-IP addresses.
|
|
// The function should simply skip the trusted proxy check.
|
|
if err != nil {
|
|
t.Errorf("expected no error for non-IP address, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestAddForwardedHeaders_UnixSocketTrusted(t *testing.T) {
|
|
h := Handler{}
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/", nil)
|
|
req.RemoteAddr = "@"
|
|
req.Header.Set("X-Forwarded-For", "1.2.3.4, 10.0.0.1")
|
|
req.Header.Set("X-Forwarded-Proto", "https")
|
|
req.Header.Set("X-Forwarded-Host", "original.example.com")
|
|
|
|
vars := map[string]interface{}{
|
|
caddyhttp.TrustedProxyVarKey: true,
|
|
caddyhttp.ClientIPVarKey: "1.2.3.4",
|
|
}
|
|
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
|
|
req = req.WithContext(ctx)
|
|
|
|
err := h.addForwardedHeaders(req)
|
|
if err != nil {
|
|
t.Fatalf("expected no error, got: %v", err)
|
|
}
|
|
|
|
if got := req.Header.Get("X-Forwarded-For"); got != "1.2.3.4, 10.0.0.1" {
|
|
t.Errorf("X-Forwarded-For = %q, want %q", got, "1.2.3.4, 10.0.0.1")
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Proto"); got != "https" {
|
|
t.Errorf("X-Forwarded-Proto = %q, want %q", got, "https")
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Host"); got != "original.example.com" {
|
|
t.Errorf("X-Forwarded-Host = %q, want %q", got, "original.example.com")
|
|
}
|
|
}
|
|
|
|
func TestAddForwardedHeaders_UnixSocketUntrusted(t *testing.T) {
|
|
h := Handler{}
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/", nil)
|
|
req.RemoteAddr = "@"
|
|
req.Header.Set("X-Forwarded-For", "1.2.3.4")
|
|
req.Header.Set("X-Forwarded-Proto", "https")
|
|
req.Header.Set("X-Forwarded-Host", "spoofed.example.com")
|
|
|
|
vars := map[string]interface{}{
|
|
caddyhttp.TrustedProxyVarKey: false,
|
|
caddyhttp.ClientIPVarKey: "",
|
|
}
|
|
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
|
|
req = req.WithContext(ctx)
|
|
|
|
err := h.addForwardedHeaders(req)
|
|
if err != nil {
|
|
t.Fatalf("expected no error, got: %v", err)
|
|
}
|
|
|
|
if got := req.Header.Get("X-Forwarded-For"); got != "" {
|
|
t.Errorf("X-Forwarded-For should be deleted, got %q", got)
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Proto"); got != "" {
|
|
t.Errorf("X-Forwarded-Proto should be deleted, got %q", got)
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Host"); got != "" {
|
|
t.Errorf("X-Forwarded-Host should be deleted, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestAddForwardedHeaders_UnixSocketTrustedNoExistingHeaders(t *testing.T) {
|
|
h := Handler{}
|
|
|
|
req := httptest.NewRequest("GET", "http://example.com/", nil)
|
|
req.RemoteAddr = "@"
|
|
|
|
vars := map[string]interface{}{
|
|
caddyhttp.TrustedProxyVarKey: true,
|
|
caddyhttp.ClientIPVarKey: "5.6.7.8",
|
|
}
|
|
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
|
|
req = req.WithContext(ctx)
|
|
|
|
err := h.addForwardedHeaders(req)
|
|
if err != nil {
|
|
t.Fatalf("expected no error, got: %v", err)
|
|
}
|
|
|
|
if got := req.Header.Get("X-Forwarded-For"); got != "" {
|
|
t.Errorf("X-Forwarded-For should be empty when no prior XFF exists, got %q", got)
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Proto"); got != "http" {
|
|
t.Errorf("X-Forwarded-Proto = %q, want %q", got, "http")
|
|
}
|
|
if got := req.Header.Get("X-Forwarded-Host"); got != "example.com" {
|
|
t.Errorf("X-Forwarded-Host = %q, want %q", got, "example.com")
|
|
}
|
|
}
|